Abstract

Distributed fault diagnosis solutions are becom- 
ing necessary due to the complexity of modern 
engineering systems, and the advent of smart 
sensors and computing elements. This paper 
presents a novel event-based approach for dis- 
tributed diagnosis of abrupt parametric faults in 
continuous systems, based on a qualitative ab- 
straction of measurement deviations from the 
nominal behavior. We systematically derive dy- 
namic fault signatures expressed as event-based 
fault models. We develop a distributed diagnoser 
design algorithm that uses these models for de- 
signing local event-based diagnosers based on 
global diagnosability analysis. The local diag- 
nosers each generate globally correct diagnosis 
results locally, without a centralized coordinator, 
by communicating a minimal number of mea- 
surements between themselves. The proposed ap- 
proach is applied to a multi-tank system, and re- 
sults demonstrate a marked improvement in scal-
ability compared to a centralized approach.

1 INTRODUCTION 

The complexity of modern engineering systems war-
rants the adoption of fault diagnosis capabilities to en- 
sure system safety, reliability, and availability. Faults 
must be quickly isolated so that mitigation or recovery 
actions may be taken. As systems become more com- 
plex, it is correspondingly more difficult to develop 
and deploy centralized diagnosis solutions. Further, 
such centralized schemes have single points of failure, 
do not scale as the size of systems increases, and have 
large computational and memory requirements. This, 
along with the increased pervasiveness of distributed, 
networked components, fuels the need for distributed 
diagnosis frameworks. 

In previous work, we have developed a centralized 
framework for qualitative event-based diagnosis for 
parametric faults in continuous systems (Daigle et al., 
2009). Deviations of measured behavior from pre-
dicted nominal behavior, termed fault signatures, are
captured qualitatively using magnitude and slope sym-
bols, forming the basis of the qualitative fault isolation
scheme (Mosterman and Biswas, 1999). The orders in 
which these deviations manifest, termed relative mea- 
surement orderings, are also used for fault isolation, 
thus forming event-based descriptions of fault-induced 
behavior. This diagnostic information may be com- 
puted from the system model and used to build event- 
based diagnosers similar to those used for discrete- 
event systems (DES) (Sampath et al., 1996). However,
this centralized approach scales poorly, because as the 
number of faults and measurements increases, the pos- 
sible number of event traces increases as well. 

To address the problems of centralized diagnosis, 
we apply the distributed diagnoser design methodol- 
ogy presented in (Roychoudhury et al., 2009) to the 
formal event-based framework developed in (Daigle et
al., 2009). The distributed diagnoser design approach 
of (Roychoudhury et al., 2009) is based on global di- 
agnosability analysis, where the local diagnosers are 
designed to provide globally correct diagnosis results, 
without a centralized coordinator, and by communicat- 
ing a minimal number of measurements among them- 
selves. The approach does not incorporate measure- 
ment orderings, but the addition of measurement or- 
derings improves diagnosability, allowing the local di- 
agnosers to be more efficient. 

This paper presents, using a multi-tank system as a 
case study, how a global event-based diagnoser may 
be decomposed into several independent local event- 
based diagnosers, each of which leverages measure- 
ment orderings for diagnosis. We develop an algorithm 
for designing distributed diagnosers based on the ideas 
of (Roychoudhury et al., 2009), but which uses mea- 
surement orderings to guide the diagnoser design pro- 
cess. Distributed diagnoser design results demonstrate 
the reduction in diagnoser size that may be obtained 
using this approach, resulting in, for each subsystem, 
a small, compact local diagnoser capable of provid- 
ing globally correct diagnoses of local faults. Results 
demonstrate the improved scalability of the distributed 
approach over a centralized approach. 

The paper is organized as follows. Section 2 for-
mulates the system model. Section 3 reviews quali-
tative fault isolation and event-based fault modeling,
and defines diagnosability in the event-based frame-
work. Section 4 describes the distributed diagnoser
design problem. Section 5 discusses the global and lo-
cal diagnoser construction, and Section 6 demonstrates
the approach in simulation, and provides scalability re-
sults. Section 7 concludes the paper.

Figure 1: Tank system schematic.


2 MODEL FORMULATION 


We consider the problem of single fault diagnosis in 
continuous systems. We assume the system, S , is de- 
scribed by 

$$\dot{x}(t) = f(x(t), \theta(t), u(t)) + v(t)$$
$$y(t) = h(x(t), \theta(t), u(t)) + n(t),$$

where $x(t) \in \mathbb{R}^{n_x}$ is the state vector, $\theta(t) \in \mathbb{R}^{n_\theta}$ is the parameter vector, $u(t) \in \mathbb{R}^{n_u}$ is the input vector, $v(t) \in \mathbb{R}^{n_v}$ is the process noise vector, assumed to be zero-mean Gaussian, $f$ is the state equation, $y(t) \in \mathbb{R}^{n_y}$ is the output vector, $n(t) \in \mathbb{R}^{n_n}$ is the measurement noise vector, assumed to be zero-mean Gaussian, and $h$ is the output equation. The dimension of a vector $a$ is denoted by $n_a$.

We denote a measurement as $m$, which is a time-varying signal of $y(t)$ obtained from an associated sensor. A measurement set is denoted as $M$.

We consider single, abrupt, parametric faults, where faults are modeled as unexpected step changes in system parameter values. We name faults by the associated parameter and the direction of change, i.e., $\theta^+$ denotes a fault defined as an increase in the value of parameter $\theta$, and $\theta^-$ denotes a fault defined as a decrease in the parameter value. We denote a fault as $f$ and a set of faults as $F$.

Throughout the paper, we will use a multi-tank system as a running example. The tanks are connected serially as shown in Fig. 1, and we will consider a variable number of tanks. For tank $i$, $u_i$ denotes the input flow, $C_i$ denotes the capacitance, and $R_i$ denotes the drain pipe resistance. For tanks $i$ and $j$, $R_{ij}$ denotes the resistance of the connecting pipe. For an $n$-tank system, the pressure of tank $i = 1$ is described by

$$\dot{p}_1 = \frac{1}{C_1}\left(u_1 - \frac{1}{R_1}\, p_1 - \frac{1}{R_{12}}\,(p_1 - p_2)\right),$$

of tanks $i = 2, \ldots, n-1$ by

$$\dot{p}_i = \frac{1}{C_i}\left(u_i + \frac{1}{R_{i-1,i}}\,(p_{i-1} - p_i) - \frac{1}{R_i}\, p_i - \frac{1}{R_{i,i+1}}\,(p_i - p_{i+1})\right),$$

and of tank $i = n$ by

$$\dot{p}_n = \frac{1}{C_n}\left(u_n - \frac{1}{R_n}\, p_n + \frac{1}{R_{n-1,n}}\,(p_{n-1} - p_n)\right).$$

The complete fault set consists of $\{C_i^-, C_i^+, R_i^-, R_i^+ : i = 1, \ldots, n\} \cup \{R_{i,i+1}^-, R_{i,i+1}^+ : i = 1, \ldots, n-1\}$. The complete measurement set is defined as $\{q_i : i = 1, \ldots, n\}$, where $q_i$ describes the output flow of tank $i$, i.e.,

$$q_i = \frac{1}{R_i}\, p_i.$$

3 QUALITATIVE EVENT-BASED DIAGNOSIS 
FRAMEWORK 

We develop an event-based, qualitative diagnosis 
framework. Faults are viewed as unobservable events, 
manifesting as persistent abrupt changes in system pa- 
rameter values. These faults cause transients in the 
system behavior, causing deviations in observed mea- 
surement values from nominal measurement values. 
In this section, we first review the theoretical frame- 
work for qualitative fault isolation, followed by a for- 
mal framework for event-based fault modeling. 

3.1 Qualitative Fault Isolation 

Measurement deviations from nominal values caused 
by faults are abstracted using qualitative +, -, and 
0 values to form fault signatures (Mosterman and 
Biswas, 1999). Fault signatures represent these devi- 
ations as the immediate change in magnitude and the 
first nonzero derivative change. 

Definition 1 (Fault Signature). A fault signature for a fault $f$ and measurement $m$ is the qualitative magnitude and slope change in $m$ caused by the occurrence of $f$, and is denoted by $\sigma_{f,m}$.

In general, ambiguities may exist in the fault signatures, so $\sigma_{f,m}$ may not be unique. A fault signature is written as $s_1 s_2$, where $s_1$ is the qualitative magnitude change and $s_2$ is the qualitative slope change, e.g., +-.

We also capture the temporal order of measure- 
ment deviations, termed relative measurement order- 
ings (Daigle et al., 2007b), based on the intuition that 
fault effects will manifest in some parts of the system 
before others. Measurement orderings are based on 
analysis of the transfer functions from faults to mea- 
surements (Daigle et al., 2007b). 

Definition 2 (Relative Measurement Ordering). If fault $f$ manifests in measurement $m_i$ before measurement $m_j$, then we define a relative measurement ordering between $m_i$ and $m_j$ for fault $f$, denoted by $m_i \prec_f m_j$. We denote the set of all measurement orderings for $f$ as $\Omega_{f,M}$.

The fault signatures and measurement orderings can 
be computed automatically from a system model. One 
method is to use a temporal causal graph (TCG) repre- 
sentation that is derived from the system model, along 
with a forward propagation algorithm to predict quali- 
tative effects of faults on measurements and their pos- 
sible sequences of deviations (Daigle, 2008). 

The fault signatures and measurement orderings for a three-tank system with $F = \{C_1^-, C_2^-, C_3^-, R_1^+, R_2^+, R_3^+, R_{12}^+, R_{23}^+\}$ and $M = \{q_1, q_2, q_3\}$ are shown in Table 1. For example, a decrease in the capacitance of tank 1, denoted by $C_1^-$, causes a discontinuous increase in the tank 1 output flow, $q_1$, followed by a smooth decrease, denoted by the signature +-. This is followed by smooth increases in $q_2$ and then $q_3$. The tanks provide natural delays of the propagation of fault effects, which manifest in the computed orderings.

Table 1: Fault Signatures and Relative Measurement Orderings for the Three-tank System

Fault     q1    q2    q3    Measurement Orderings
C1^-      +-    0+    0+    q1 ≺ q2, q1 ≺ q3, q2 ≺ q3
C2^-      0+    +-    0+    q2 ≺ q1, q2 ≺ q3
C3^-      0+    0+    +-    q2 ≺ q1, q3 ≺ q1, q3 ≺ q2
R1^+      -+    0+    0+    q1 ≺ q2, q1 ≺ q3, q2 ≺ q3
R2^+      0+    -+    0+    q2 ≺ q1, q2 ≺ q3
R3^+      0+    0+    -+    q2 ≺ q1, q3 ≺ q1, q3 ≺ q2
R12^+     0+    0-    0-    q2 ≺ q3
R23^+     0+    0+    0-    q2 ≺ q1
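The claim that the tank chain delays the propagation of fault effects can be checked against the Section 2 equations directly. The Python script below is an added example, not code from the paper or its authors: it integrates the three-tank model with forward Euler, doubles one resistance at time t0 as an abrupt parametric fault, and records the first sample at which each output flow q_i departs from a nominal run, which gives the relative measurement orderings of Definition 2 for that fault. The parameter values, the inflow pattern (only tank 1 fed, so that the connecting-pipe flows are nonzero), the detection threshold and the step size are assumptions made for the example, and the function names are ours. Capacitance faults are left out: in the rate equations above a change in C_i at steady state leaves the right-hand side at zero, so the discontinuous jump of the +- signatures in Table 1 is not reproduced by integrating these equations alone.

```python
# Added example: forward-Euler simulation of the Section 2 tank model to recover
# the order in which output flows deviate after a parametric fault.
# Parameter values and the inflow pattern below are assumptions for the example.

THREE_TANK = {"C": [1.0, 1.0, 1.0],     # C_i
              "R": [1.0, 1.0, 1.0],     # R_i (drain pipes)
              "Rc": [1.0, 1.0]}         # R_{i,i+1} (connecting pipes)
INFLOW = [1.0, 0.0, 0.0]               # u_i: only tank 1 is fed, so pressures differ


def derivs(p, prm, u):
    """dp_i/dt for every tank from the equations of Section 2 (general n)."""
    n = len(p)
    dp = []
    for i in range(n):
        net = u[i] - p[i] / prm["R"][i]
        if i > 0:
            net += (p[i - 1] - p[i]) / prm["Rc"][i - 1]
        if i < n - 1:
            net -= (p[i] - p[i + 1]) / prm["Rc"][i]
        dp.append(net / prm["C"][i])
    return dp


def simulate(params, u, fault=None, t0=20.0, t_end=22.0, dt=1e-3):
    """Integrate from empty tanks. `fault` = (param_name, index, factor) scales that
    parameter at t0 (an abrupt parametric fault). Returns q_i samples per step."""
    prm = {k: list(v) for k, v in params.items()}
    n = len(prm["C"])
    p = [0.0] * n
    qs = []
    fault_step = int(round(t0 / dt))
    for k in range(int(round(t_end / dt))):
        if fault is not None and k == fault_step:
            name, idx, factor = fault
            prm[name][idx] *= factor
        dp = derivs(p, prm, u)
        p = [pi + dt * dpi for pi, dpi in zip(p, dp)]
        qs.append([p[i] / prm["R"][i] for i in range(n)])   # q_i = p_i / R_i
    return qs


def first_deviation(params, u, fault, eps=1e-3, **kw):
    """Step index at which each q_i first differs from the nominal run by more
    than eps (a crude stand-in for the paper's symbol generation)."""
    nominal = simulate(params, u, None, **kw)
    faulty = simulate(params, u, fault, **kw)
    first = {}
    for i in range(len(params["C"])):
        for k, (qn, qf) in enumerate(zip(nominal, faulty)):
            if abs(qf[i] - qn[i]) > eps:
                first[f"q{i + 1}"] = k
                break
    return first


def orderings(first):
    """Relative measurement orderings (Definition 2) implied by detection times."""
    return {(a, b) for a in first for b in first if first[a] < first[b]}


if __name__ == "__main__":
    for label, fault in [("R12+", ("Rc", 0, 2.0)), ("R23+", ("Rc", 1, 2.0)), ("R2+", ("R", 1, 2.0))]:
        first = first_deviation(THREE_TANK, INFLOW, fault)
        print(label, first, sorted(orderings(first)))
```

Running the script prints, for R12+, R23+ and R2+, the detection step of each q_i and the strict orderings derived from them. For R12+ the two flows adjacent to the faulty pipe, q1 and q2, deviate at essentially the same step and q3 clearly later, consistent with the q2 ≺ q3 row of Table 1; for R23+ the script gives q2 ≺ q1 as in the table and also q3 ≺ q1, which the table does not list. Orderings read off a simulation with one set of assumed parameter values should be treated as an assumption rather than a guarantee; the paper derives its orderings from transfer-function analysis, and a practitioner would only keep an ordering that both methods agree on.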

3.2 Event-based Fault Modeling 

Fault signatures combined with relative measurement 
orderings provide event-based information for diagno- 
sis. For a given fault, the combination of all fault sig- 
natures and measurement orderings yields all the pos- 
sible ways a fault can manifest in the measurements. 
We denote each of these possibilities as a fault trace. 

Definition 3 (Fault Trace). A fault trace for a fault $f$ over measurements $M$, denoted by $\lambda_{f,M}$, is a string of length $\le |M|$ that includes, for every $m \in M$ that will deviate due to $f$, a fault signature $\sigma_{f,m}$, such that the sequence of fault signatures satisfies $\Omega_{f,M}$.

Note that the definition implies that fault traces are 
of maximal length, i.e., a fault trace includes devia- 
tions for all measurements affected by the fault. We 
group the set of all fault traces into a fault language. 
The fault model, defined by a finite automaton, con- 
cisely represents the fault language of a fault. 

Definition 4 (Fault Language). The fault language of a fault $f \in F$ with measurement set $M$, denoted by $L_{f,M}$, is the set of all fault traces for $f$ over measurements $M$.

Definition 5 (Fault Model). The fault model for a fault $f \in F$ with measurement set $M$ is the finite automaton that accepts exactly the language $L_{f,M}$, and is given by $\mathcal{L}_{f,M} = (S, s_0, \Sigma, \delta, A)$ where $S$ is a set of states, $s_0 \in S$ is an initial state, $\Sigma$ is a set of events, $\delta : S \times \Sigma \to S$ is a transition function, and $A \subseteq S$ is a set of accepting states.

The finite automata representation allows for the 
composition of the fault signatures and relative mea- 
surement orderings into fault models. The possi- 
ble fault signatures and measurement orderings can 
be composed automatically to form the fault models 
based on the synchronization operation (Daigle et al., 
2009).

Selected fault models for a three-tank system are shown in Fig. 2. For example, as seen in $\mathcal{L}_{C_2^-}$, the fault $C_2^-$ may manifest as the fault traces $q_2^{+-}\, q_1^{0+}\, q_3^{0+}$ and $q_2^{+-}\, q_3^{0+}\, q_1^{0+}$, as implied by the fault signatures and measurement orderings.

Figure 2: Fault models for some faults of the three-tank system, where $M = \{q_1, q_2, q_3\}$.

3.3 Diagnosability 

With the formal fault isolation framework defined, we 
may now establish the notions of distinguishability and 
diagnosability in this framework. Using these defini- 
tions, we can then formally define the distributed di- 
agnoser design problem. Distinguishability between 
faults is characterized as follows. 

Definition 6 (Distinguishability). With measurements $M$, a fault $f_i$ is distinguishable from a fault $f_j$, denoted by $f_i \sim_M f_j$, if $f_i$ always eventually produces effects on the measurements that $f_j$ cannot.

Under our framework, one fault will be distinguishable from another fault if it cannot produce a fault trace that is a prefix (denoted by $\sqsubseteq$) of a trace that can be produced by the other fault (see footnote 1). If this is not the case, then when that trace manifests, the first fault cannot be distinguished from the second.

We define a system in our framework as follows.

Definition 7 (System). A system $S$ is a tuple $(F, M, L_{F,M})$, where $F = \{f_1, f_2, \ldots, f_n\}$ is a set of faults, $M$ is a set of measurements, and $L_{F,M} = \{L_{f_1,M}, L_{f_2,M}, \ldots, L_{f_n,M}\}$ is the set of fault languages.

If a system is diagnosable, then we can make guar- 
antees about the unique isolation of every fault in the 
system. 

Definition 8 (Diagnosability). A system $S = (F, M, L_{F,M})$ is diagnosable if $(\forall f_i, f_j \in F)\; f_i \neq f_j \Rightarrow f_i \sim_M f_j$.

If $S$ is diagnosable, then every pair of faults is distinguishable using the measurements in $M$. So, each fault trace we observe can be linked to exactly one fault, meaning that we can uniquely isolate all faults of interest. If $S$ is not diagnosable, then ambiguities will remain after fault isolation, i.e., after all possible measurement deviations have been observed.

Footnote 1: A fault trace $\lambda_i$ is a prefix of fault trace $\lambda_j$ if there is some (possibly empty) sequence of events $\lambda_k$ that can extend $\lambda_i$ such that $\lambda_i \lambda_k = \lambda_j$.

4 DISTRIBUTED DIAGNOSER DESIGN 

Given a system that is diagnosable (see footnote 2), our objective is to
decompose the overall diagnosis task into smaller sub- 
tasks performed by local diagnosers with the following 
properties: (i) all single faults of interest in the system 
can be diagnosed, and (ii) the local diagnosis results 
are globally correct. These two properties eliminate 
the need for a centralized coordinator. 

The system S is split into n subsystems, where each 
fault is assigned to exactly one subsystem, and each 
subsystem gets a subset of the complete measurement 
set. The subsystem definitions are provided by the user 
as input. 

Assumption 1. $S = (F, M, L_{F,M})$ is split into $S_1, S_2, \ldots, S_n$, where $S_i = (F_i, M_i, L_{F_i,M_i})$, such that (i) $F = F_1 \cup F_2 \cup \ldots \cup F_n$, (ii) $\forall i \neq j \in [1, n]$, $F_i \cap F_j = \emptyset$, and (iii) $\forall i$, $M_i \subseteq M$.

Subsystems may be locally diagnosable. A locally 
diagnosable subsystem is one in which its own faults 
can be uniquely isolated using its own measurements. 

Definition 9 (Local Diagnosability). A subsystem $S_i = (F_i, M_i, L_{F_i,M_i})$ is locally diagnosable if $(\forall f_i \in F_i, f_j \in F_i)\; f_i \neq f_j \Rightarrow f_i \sim_{M_i} f_j$. We say two faults $f_i \in F_i$ and $f_j \in F_i$ are locally distinguishable if $f_i \sim_{M_i} f_j$.

Local diagnosability is not sufficient for local diagnosers to achieve globally correct diagnoses. The problem is that for $S_i$, there may be some $f_i \in F_i$ and for $S_j$, some $f_j \in F_j$, such that $f_j$ produces the same effects on $M_i$ as $f_i$ does. The result is that, if $f_j$ occurs, local diagnoser $i$ will say that $f_i$ has occurred. In general, we may have faults in a subsystem that are distinguishable from faults local to the subsystem, but which may not be distinguishable from faults outside the subsystem. For the local diagnosers to achieve globally correct local diagnoses, the subsystems must satisfy a notion of global diagnosability.

Definition 10 (Global Diagnosability). A subsystem $S_i = (F_i, M_i, L_{F_i,M_i})$ belonging to system $S = (F, M, L_{F,M})$ is globally diagnosable if $(\forall f_i \in F_i, f_j \in F)\; f_i \neq f_j \Rightarrow f_i \sim_{M_i} f_j$. We say two faults $f_i \in F_i$ and $f_j \in F$ are globally distinguishable if $f_i \sim_{M_i} f_j$.

That is, a subsystem $S_i$ is globally diagnosable if all the faults in $F_i$ are distinguishable from every other fault $f \in F$ using only the measurements in $M_i$. If the subsystems can be structured such that each subsystem $S_i$ is globally diagnosable, then each local diagnoser can independently generate local diagnoses which are globally correct.

For example, consider the three-tank system defined earlier, with $F = \{C_1^-, C_2^-, C_3^-, R_1^+, R_2^+, R_3^+, R_{12}^+, R_{23}^+\}$ and $M = \{q_1, q_2, q_3\}$. Let us define a subsystem for each tank, where for $i = 1, \ldots, n-1$, $S_i$ is defined by $F_i = \{C_i^-, R_i^+, R_{i,i+1}^+\}$ and $M_i = \{q_i\}$, and for $i = n$, $S_i$ is defined by $F_i = \{C_i^-, R_i^+\}$ and $M_i = \{q_i\}$. Consider tank 1. If 0+ is observed for $q_1$, then that may be the result of local fault $R_{12}^+$ or any of the nonlocal faults (see Table 1). Clearly, $S_1$ is not globally diagnosable. Note that it is locally diagnosable, as the three local faults each produce a different effect on the sole measurement of the subsystem, $q_1$.

Footnote 2: If the system $S$ is not diagnosable, we can define aggregate faults, where an aggregate fault is a set of faults that are indistinguishable from each other. The diagnosis methodology can be applied to the modified fault set that includes the aggregate faults (Roychoudhury et al., 2009).

Different design problems may be defined which de- 
termine partitions of the fault set F and/or the assign- 
ment of measurements to subsystems (Roychoudhury 
et al., 2009). In each case, the end result must be a set 
of globally diagnosable subsystems. In this paper, we 
focus on the problem where S is already partitioned 
into subsystems, but each S, may not be globally di- 
agnosable. We define the distributed diagnoser design 
problem as determining, for each Si, the minimal num- 
ber of measurements to pull in from other subsystems 
to achieve global diagnosability. Formally, the prob- 
lem can be defined as follows. 

Problem (Partitioned System Diagnoser Design). Given $n$ subsystems, where $S_i = (F_i, M_i, L_{F_i,M_i})$, construct, for each subsystem, a measurement set $M_i^+ \subseteq M$ such that (i) $M_i^+ - M_i$ is minimal, and (ii) $S_i' = (F_i, M_i^+, L_{F_i,M_i^+})$ is globally diagnosable.

This problem is a variation of the measurement se- 
lection problem, which is an instance of the set cover- 
ing problem, known to be NP-complete (Narasimhan 
et al., 1998). Our goal, while designing the local di- 
agnosers, is to minimize the sharing of measurements 
across subsystems in order to limit the size of the local 
diagnosers and their communication requirements. We 
simplify the measurement search using measurement 
orderings as a guide, based on the intuition that mea- 
surements that deviate before others are more help- 
ful. Further, these measurements provide the fastest 
diagnosis. To do this, for each fault that is not glob- 
ally distinguishable, we determine the measurements 
that deviate first by looking at the measurement order- 
ings, and this set of measurements over all the glob- 
ally indistinguishable faults forms the current work- 
ing measurement set, i.e., measurements with which 
we try to resolve global diagnosability. This heuris- 
tic simplifies the search process, but the algorithm is 
still exponential in the general case, where $O(2^{|M|})$ measurement sets must be considered for a single subsystem. The heuristic reduces the number of measurements to consider at each iteration, so only $O(2^{|M_i^+|})$ combinations end up being considered, where typically $|M_i^+| \ll |M|$. The introduction of the heuristic trades off optimality of the diagnoser design for algorithm efficiency. Additional heuristics may also be used, e.g., the subsystem distance heuristic presented in (Roychoudhury et al., 2009).

The distributed diagnoser design procedure is given as Algorithm 1. For a diagnosable system $S$, for each $S_i$, we first determine, using diagnosability analysis, the set of faults $F_i^* \subseteq F_i$ which are not globally distinguishable using $M_i$. At each iteration, for each fault that is not globally distinguishable using the current measurement set, $M_i^+$, we compute the set of measurements out of $M - M_i^+$ that may deviate first for the fault, as $M_{f_i^*}$. We then find the minimal set of measurements to add to $M_i^+$ from the set of measurements found in this way over all $f_i^*$ that resolves the most globally indistinguishable faults, and add these to $M_i^+$. The process repeats until $S_i$ is globally diagnosable, resulting in the local diagnoser $\mathcal{D}_{F_i,M_i^+}$, whose construction is described in the next section.

Algorithm 1 Distributed Diagnoser Design
Input: $\mathbb{S} = \{S_i = (F_i, M_i, L_{F_i,M_i}) : i = 1, \ldots, n\}$
for all $S_i \in \mathbb{S}$ do
    $F_i^* \leftarrow \{f_i : f_i \not\sim_{M_i} f_j \text{ for } f_i \in F_i,\ f_j \in F,\ \text{and } f_i \neq f_j\}$
    $M_i^+ \leftarrow M_i$
    while $F_i^* \neq \emptyset$ do
        for all $f_i^* \in F_i^*$ do
            $M_{f_i^*} \leftarrow \{m \in M - M_i^+ : \nexists\, m' \in M - M_i^+,\ (m' \prec_{f_i^*} m) \in \Omega_{f_i^*,M}\}$
        end for
        identify minimal $M^* \subseteq \bigcup_{f_i^* \in F_i^*} M_{f_i^*}$ such that $M_i^+ \cup M^*$ isolates maximal $F' \subseteq F_i^*$
        $M_i^+ \leftarrow M_i^+ \cup M^*$
        $F_i^* \leftarrow F_i^* - F'$
    end while
    construct $\mathcal{D}_{F_i,M_i^+}$
end for

It is easy to see that Algorithm 1 always succeeds in making $S_i$ globally diagnosable, because (i) $S$ is diagnosable, so global diagnosability for $S_i$ can be achieved (at worst by setting $M_i^+ = M$), and (ii) the algorithm continually adds measurements to $M_i^+$ until $S_i$ is globally diagnosable (and in the worst case all measurements are considered).

We apply this algorithm to the $n$-tank system, where for $i = 1, \ldots, n-1$, $S_i$ is defined by $F_i = \{C_i^-, R_i^+, R_{i,i+1}^+\}$ and $M_i = \{q_i\}$, and for $i = n$, $S_i$ is defined by $F_i = \{C_i^-, R_i^+\}$ and $M_i = \{q_i\}$. For tank 1, $R_{12}^+$ is not globally distinguishable. From the measurement orderings, $q_2$ will deviate before $q_3$, so $M_{f^*} = \{q_2\}$. This measurement alone is sufficient to add to $M_1^+$ to obtain global diagnosability, so no further iteration is necessary. For tank 2, $R_{23}^+$ is not globally distinguishable, and both $q_1$ and $q_3$ belong to $M_{f^*}$. Measurement $q_3$ alone is sufficient to achieve global diagnosability. For tank 3, the subsystem is already globally diagnosable. The new measurement sets are therefore $M_1^+ = \{q_1, q_2\}$, $M_2^+ = \{q_2, q_3\}$, and $M_3^+ = \{q_3\}$.
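To make Definitions 3 to 10 and Algorithm 1 concrete, the following Python code is an added example written for this page, not the authors' implementation. It transcribes Table 1 into two dictionaries, enumerates fault languages as the linear extensions of each fault's orderings, tests distinguishability by the prefix criterion of Section 3.3, and runs Algorithm 1 on the three tank-level subsystems defined above. The "identify minimal M*" step is realised as a search over candidate subsets in increasing size that stops at the first size resolving at least one fault, which is one reasonable reading of that step; the function names are ours.

```python
# Added example: fault languages, distinguishability and Algorithm 1 for the
# three-tank system. Data transcribed from Table 1; function names are ours.
from itertools import combinations, permutations

SIG = {  # fault -> {measurement: magnitude+slope symbols}
    "C1-":  {"q1": "+-", "q2": "0+", "q3": "0+"},
    "C2-":  {"q1": "0+", "q2": "+-", "q3": "0+"},
    "C3-":  {"q1": "0+", "q2": "0+", "q3": "+-"},
    "R1+":  {"q1": "-+", "q2": "0+", "q3": "0+"},
    "R2+":  {"q1": "0+", "q2": "-+", "q3": "0+"},
    "R3+":  {"q1": "0+", "q2": "0+", "q3": "-+"},
    "R12+": {"q1": "0+", "q2": "0-", "q3": "0-"},
    "R23+": {"q1": "0+", "q2": "0+", "q3": "0-"},
}
ORD = {  # fault -> set of (a, b) meaning a deviates before b (a ≺_f b)
    "C1-":  {("q1", "q2"), ("q1", "q3"), ("q2", "q3")},
    "C2-":  {("q2", "q1"), ("q2", "q3")},
    "C3-":  {("q2", "q1"), ("q3", "q1"), ("q3", "q2")},
    "R1+":  {("q1", "q2"), ("q1", "q3"), ("q2", "q3")},
    "R2+":  {("q2", "q1"), ("q2", "q3")},
    "R3+":  {("q2", "q1"), ("q3", "q1"), ("q3", "q2")},
    "R12+": {("q2", "q3")},
    "R23+": {("q2", "q1")},
}
F_ALL = set(SIG)
M_ALL = {"q1", "q2", "q3"}
THREE_TANK_SUBSYSTEMS = {  # S_i = (F_i, M_i) as in Section 4
    "S1": ({"C1-", "R1+", "R12+"}, {"q1"}),
    "S2": ({"C2-", "R2+", "R23+"}, {"q2"}),
    "S3": ({"C3-", "R3+"}, {"q3"}),
}


def fault_language(f, M):
    """L_{f,M} (Definition 4): every sequence of the measurements in M that deviate
    under f, ordered consistently with Omega_f, each tagged with its signature."""
    devs = sorted(m for m in M if SIG[f].get(m, "00") != "00")
    lang = set()
    for perm in permutations(devs):
        pos = {m: i for i, m in enumerate(perm)}
        if all(pos[a] < pos[b] for a, b in ORD[f] if a in pos and b in pos):
            lang.add(tuple((m, SIG[f][m]) for m in perm))
    return lang


def distinguishable(fi, fj, M):
    """f_i ~_M f_j: no trace of f_i is a prefix of a trace of f_j (Section 3.3)."""
    Li, Lj = fault_language(fi, M), fault_language(fj, M)
    return not any(lj[:len(li)] == li for li in Li for lj in Lj)


def diagnosable(F, M):
    """Definition 8: every pair of distinct faults is distinguishable with M."""
    return all(distinguishable(fi, fj, M) for fi in F for fj in F if fi != fj)


def globally_indistinguishable(Fi, F, Mi):
    """F_i^*: faults of F_i not distinguishable from some fault of F using M_i
    (the faults that violate Definition 10 for this subsystem)."""
    return {fi for fi in Fi if any(not distinguishable(fi, fj, Mi) for fj in F if fj != fi)}


def first_deviating(f, cand):
    """M_{f*}: measurements in cand with no predecessor in cand under f's orderings."""
    return {m for m in cand if not any(a in cand and b == m for a, b in ORD[f])}


def design(subsystems, F, M):
    """Algorithm 1: for each S_i grow M_i^+ from M_i, guided by measurement
    orderings, until S_i is globally diagnosable. Returns {name: M_i^+}."""
    result = {}
    for name, (Fi, Mi) in subsystems.items():
        Mplus = set(Mi)
        Fstar = globally_indistinguishable(Fi, F, Mplus)
        while Fstar:
            cand = set().union(*(first_deviating(f, M - Mplus) for f in Fstar))
            if not cand:  # all of M already used: S was not diagnosable (footnote 2)
                raise ValueError(f"{name}: system not diagnosable with M")
            best = None  # (M*, faults of F* it resolves); smallest |M*| wins
            for k in range(1, len(cand) + 1):
                for Mstar in combinations(sorted(cand), k):
                    still = globally_indistinguishable(Fstar, F, Mplus | set(Mstar))
                    resolved = Fstar - still
                    if best is None or len(resolved) > len(best[1]):
                        best = (set(Mstar), resolved)
                if best[1]:
                    break
            Mplus |= best[0]
            Fstar -= best[1]
        result[name] = Mplus
    return result


if __name__ == "__main__":
    print("diagnosable with all of M:", diagnosable(F_ALL, M_ALL))
    print(design(THREE_TANK_SUBSYSTEMS, F_ALL, M_ALL))
```

Running it reports that the full system is diagnosable with M = {q1, q2, q3} and returns M_1^+ = {q1, q2}, M_2^+ = {q2, q3} and M_3^+ = {q3}, the sets derived by hand above. For tank 2 the search tries q1 first and finds that it resolves nothing (R23+ and C3- then share the trace q2 0+, q1 0+), before q3 is found to resolve R23+. Calling diagnosable with {q1} alone returns False, and the ValueError in design guards the loop that would otherwise never terminate for a non-diagnosable input, the case that footnote 2 handles with aggregate faults.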

5 DIAGNOSER IMPLEMENTATION 

In this section we describe the construction of the event-based diagnosers. The goal of the event-based diagnoser is, given a sequence of measurement deviation events, to determine which faults are consistent with the observed sequence. We define formally a diagnosis and a diagnoser in our framework (Daigle et al., 2009).

Figure 3: Diagnosers for some individual faults of the three-tank system, where $M = \{q_1, q_2, q_3\}$.

Definition 11 (Diagnosis). A diagnosis $d \subseteq F$ is a set of faults, each of which is consistent with the observations.

Definition 12 (Diagnoser). A diagnoser for a fault set $F$ and measurement set $M$ is a tuple $\mathcal{D}_{F,M} = (S, s_0, \Sigma, \delta, A, D, Y)$ where $S$ is a set of states, $s_0 \in S$ is an initial state, $\Sigma$ is a set of events, $\delta : S \times \Sigma \to S$ is a transition function, $A \subseteq S$ is a set of accepting states, $D \subseteq 2^F$ is a set of diagnoses, and $Y : S \to D$ is a diagnosis map.

A diagnoser is a finite automaton extended by a set 
of diagnoses and a diagnosis map. It takes events as in- 
puts, which, as with fault models, correspond to mea- 
surement deviations. From the current state, a mea- 
surement deviation event causes a transition to a new 
state. The diagnosis for that new state represents the 
set of faults that are consistent with the sequence of 
events seen up to the current point in time. 

Accepting states correspond to a fault isolation re- 
sult. We say that a diagnoser isolates a fault if it ac- 
cepts all possible valid traces for the fault and the ac- 
cepting states map to diagnoses containing the fault. 

Definition 13 (Isolation). A diagnoser $\mathcal{D}_{F,M}$ isolates fault $f \in F$ if $\mathcal{D}_{F,M}$ accepts all $\lambda_{f,M} \in L_{f,M}$ and for each $s \in A$ that accepts some $\lambda_{f,M}$, $f \in Y(s)$.

Unique isolation corresponds to system diagnosability. We say that a diagnoser uniquely isolates a fault if each accepting state maps to the single fault.

Definition 14 (Unique Isolation). A diagnoser $\mathcal{D}_{F,M}$ uniquely isolates fault $f \in F$ if $\mathcal{D}_{F,M}$ accepts all $\lambda_{f,M} \in L_{f,M}$ and for each $s \in A$ that accepts some $\lambda_{f,M}$, $\{f\} = Y(s)$.

We would like to systematically construct a diagnoser for a system $S$ that isolates all $f \in F$, and show that if $S$ is diagnosable, then this diagnoser uniquely isolates all $f \in F$. This procedure has been developed in previous work (Daigle et al., 2009). Here, we briefly review the main points.

First, we construct a diagnoser, for each fault $f$, that isolates $f$, i.e., $\mathcal{D}_{\{f\},M}$. These are shown in Fig. 3 for some of the faults of the three-tank system. They are constructed directly from the fault models $\mathcal{L}_{f,M}$, cf. Fig. 2. Because the fault model $\mathcal{L}_{f,M}$ accepts the fault language $L_{f,M}$, it is easy to show that this diagnoser isolates $f$.

Figure 4: Three-tank system centralized diagnoser for $F = \{C_1^-, C_2^-, C_3^-, R_1^+, R_2^+, R_3^+, R_{12}^+, R_{23}^+\}$ and $M = \{q_1, q_2, q_3\}$.

Figure 5: Local diagnosers for the three-tank system for $F_1 = \{C_1^-, R_1^+, R_{12}^+\}$, $M_1 = \{q_1, q_2\}$, $F_2 = \{C_2^-, R_2^+, R_{23}^+\}$, $M_2 = \{q_2, q_3\}$, $F_3 = \{C_3^-, R_3^+\}$, and $M_3 = \{q_3\}$.


A composition operator is then defined that com- 
poses two diagnosers, such that if each diagnoser iso- 
lates its own set of faults, the composed diagnoser will 
isolate the combined set of faults. We may then com- 
pose the individual diagnosers into a global diagnoser 
T>f,m that isolates the complete set F. We have shown 
that the system defined by F and M is diagnosable 
if and only if the diagnoser constructed in this way 
uniquely isolates all faults in F (Daigle et al., 2009). 

The resulting global diagnoser for the three-tank 
system described in the earlier sections is given in 
Fig. 4. It is clear from this figure that the system is 
diagnosable, as each accepting state has a unique diag- 
nosis. In this case, a unique diagnosis is even known 
after only a single measurement deviation. The re- 
sulting diagnoser may be pruned to reduce diagnoser 
size by removing states and transitions occurring after 
a unique diagnosis is known (Daigle, 2008). 

5.1 Local Diagnoser Implementation 

The design of local diagnosers follows the same procedure as the global diagnoser, i.e., given $F_i$ and $M_i^+$ for subsystem $S_i$, we construct $\mathcal{D}_{F_i,M_i^+}$. The local diagnosers for the distributed diagnoser design example from the previous section are given in Fig. 5. Note that
each local diagnoser except the third needs only two 
measurements, whereas the global diagnoser needs all 
three. As n increases, each local diagnoser still needs 
at most two measurements, whereas the global diag- 
noser needs all n measurements, significantly increas- 
ing its size. 

In terms of scalability, the distributed diagnosis 
scheme clearly improves on the centralized diagnosis 
approach. In the worst case, the size of a diagnoser 


increases factorially with the number of measure- 
ments (Daigle et al., 2009). Therefore, the fewer the
measurements associated with a diagnoser to achieve 
local and global diagnosability, the smaller a diagnoser 
will be. By creating local diagnosers such that each di- 
agnoser uses only a limited number of measurements, 
each local diagnoser can be significantly smaller than 
the centralized diagnoser, and the combined size of all 
local diagnosers can be smaller also. 

The distributed diagnosis approach works as fol- 
lows. Each local diagnoser starts in its initial state. A 
measurement deviation event is received by all subsys- 
tems that include that measurement in their measure- 
ment set. If there is a matching event from the current 
state, a local diagnoser will follow that path to the next 
state, and remain active. If not, the local diagnoser will 
block, and its diagnosis result will be 0. The process 
continues until a local diagnoser reaches an accept- 
ing state. At this point, a globally correct diagnosis is 
known, if each subsystem was designed to be globally 
diagnosable. If so, no other local diagnoser may reach 
an accepting state. Therefore, a globally correct diag- 
nosis result is achieved without the use of a centralized 
coordinator. If the subsystems are not globally diag- 
nosable, then two or more local diagnosers may both 
reach an accepting state and a coordinator is needed. 
We may prove this result as follows. 

Theorem 1. Given a distributed diagnoser design where each subsystem $S_i$ is globally diagnosable, then if some $f \in F$ occurs, exactly one $\mathcal{D}_i$ will uniquely isolate it, and all remaining diagnosers will give $\emptyset$.

Proof. When $f$ occurs it will produce some trace $\lambda_{f,M}$, seen as $\lambda_{f,M_1}, \ldots, \lambda_{f,M_n}$ by each $\mathcal{D}_i$. Since $F$ is partitioned (Assumption 1), $f$ belongs to exactly one $F_i$ of $\mathcal{D}_i$. Since $S_i$ is globally diagnosable, no other $f_i \in F_i$ can produce a trace that is a prefix of $\lambda_{f,M_i}$, and since $\mathcal{D}_i$ is constructed correctly, it must capture $\lambda_{f,M_i}$ and will uniquely isolate $f$. Any other $\mathcal{D}_j$ will observe the trace $\lambda_{f,M_j}$, and, since $S_j$ is globally diagnosable, no fault $f_j \in F_j$ could produce a trace that is a prefix of that trace, so $\mathcal{D}_j$ will block, yielding $\emptyset$. □

A globally correct diagnosis result may be declared 
earlier if a local diagnoser has not yet reached an ac- 
cepting state, but has a unique diagnosis, only if all 
other local diagnosers have blocked. A globally cor- 
rect diagnosis result may otherwise only be declared 
when all measurements for a subsystem have deviated 
(i.e., an accepting state is reached). These conditions 
correspond directly to those outlined in (Roychoud- 
hury et al., 2009) in the absence of the event-based 
framework. 
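The run-time behaviour described in this section and in Theorem 1 can be exercised with the small Python example below, which is added here and is not code from the paper. Each local diagnoser is built as a prefix tree over its fault language, with the diagnosis map taken as the set of faults whose traces share the prefix seen so far; this is one way to realise Definition 12 and is not necessarily the composition operator of (Daigle et al., 2009). The traces are enumerated by hand from Table 1 over the measurement sets produced by Algorithm 1, the event stream is constructed for an R23+ fault with q3 taken to deviate before q2 (the two are unordered for this fault), and all names are ours. The second design, which keeps the original M_1 = {q1}, shows why global diagnosability is required: two diagnosers accept and a coordinator would be needed to break the tie.

```python
# Added example: local event-based diagnosers run side by side without a
# coordinator. Fault languages below were enumerated by hand from Table 1 over
# the measurement sets M_1^+ = {q1,q2}, M_2^+ = {q2,q3}, M_3^+ = {q3}.

LOCAL = {  # name -> (M_i^+, {fault: [traces]}), trace = tuple of (measurement, signature)
    "D1": ({"q1", "q2"}, {
        "C1-":  [(("q1", "+-"), ("q2", "0+"))],
        "R1+":  [(("q1", "-+"), ("q2", "0+"))],
        "R12+": [(("q1", "0+"), ("q2", "0-")), (("q2", "0-"), ("q1", "0+"))],
    }),
    "D2": ({"q2", "q3"}, {
        "C2-":  [(("q2", "+-"), ("q3", "0+"))],
        "R2+":  [(("q2", "-+"), ("q3", "0+"))],
        "R23+": [(("q2", "0+"), ("q3", "0-")), (("q3", "0-"), ("q2", "0+"))],
    }),
    "D3": ({"q3"}, {
        "C3-": [(("q3", "+-"),)],
        "R3+": [(("q3", "-+"),)],
    }),
}
# The same tank-1 faults with the original single measurement M_1 = {q1},
# which Section 4 shows is not globally diagnosable.
NAIVE_D1 = ({"q1"}, {"C1-": [(("q1", "+-"),)], "R1+": [(("q1", "-+"),)], "R12+": [(("q1", "0+"),)]})

# Constructed event stream for R23+ in the three-tank system (Table 1: q1 0+,
# q2 0+, q3 0-, with q2 before q1); q3 is taken to deviate first here.
SCENARIO = [("q3", "0-"), ("q2", "0+"), ("q1", "0+")]


class Diagnoser:
    """Definition 12 realised as a prefix tree over the fault languages: a state
    is the event prefix seen so far, Y maps it to the faults with a trace having
    that prefix, and a state is accepting when the prefix is a whole trace."""
    def __init__(self, M, languages):
        self.M = set(M)
        self.delta, self.Y, self.accepting = {}, {(): set(languages)}, set()
        for f, traces in languages.items():
            for tr in traces:
                for k in range(1, len(tr) + 1):
                    self.delta[(tr[:k - 1], tr[k - 1])] = tr[:k]
                    self.Y.setdefault(tr[:k], set()).add(f)
                self.accepting.add(tr)
        self.reset()

    def reset(self):
        self.state, self.blocked = (), False

    def step(self, event):
        """Consume one deviation event; ignore measurements outside M_i^+,
        block (diagnosis becomes empty) when no transition matches."""
        if self.blocked or event[0] not in self.M:
            return
        nxt = self.delta.get((self.state, event))
        if nxt is None:
            self.blocked = True
        else:
            self.state = nxt

    @property
    def diagnosis(self):
        return set() if self.blocked else set(self.Y[self.state])

    @property
    def accepted(self):
        return not self.blocked and self.state in self.accepting


def build(local=LOCAL):
    return {name: Diagnoser(M, langs) for name, (M, langs) in local.items()}


def early_declare(diagnosers):
    """Section 5.1 early-declaration rule: a unique diagnosis from the only
    unblocked local diagnoser may be declared before it reaches an accepting state."""
    live = [d for d in diagnosers.values() if not d.blocked]
    if len(live) == 1 and len(live[0].diagnosis) == 1:
        return live[0].diagnosis
    return None


def run_distributed(diagnosers, events):
    """Broadcast every event to all local diagnosers (each keeps only its own
    measurements); return the accepting diagnosers with their diagnoses."""
    for d in diagnosers.values():
        d.reset()
    for ev in events:
        for d in diagnosers.values():
            d.step(ev)
    return {n: d.diagnosis for n, d in diagnosers.items() if d.accepted}


if __name__ == "__main__":
    print("globally diagnosable design:", run_distributed(build(), SCENARIO))
    print("M_1 = {q1} only:", run_distributed(build(dict(LOCAL, D1=NAIVE_D1)), SCENARIO))
```

With the globally diagnosable design only D2 reaches an accepting state, with diagnosis {R23+}, while D1 and D3 block, as Theorem 1 predicts. early_declare returns nothing after the first event, because D1 has ignored q3 and is still unblocked with three candidates, and {R23+} after the second. With M_1 = {q1}, D1 also accepts, with {R12+}, after the q1 0+ event: this is the false local diagnosis anticipated in Section 4, and it is why a coordinator is needed whenever a subsystem is not globally diagnosable.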

6 RESULTS 

As an example to demonstrate online diagnosis in this framework, consider a six-tank system, with $R_{23}^+$ occurring at time 10.0. The plots of $q_2$ and $q_3$ are shown in Fig. 6. At time 10.3 a 0- is detected in $q_3$, using the symbol generation mechanism described in (Daigle et al., 2010). Both the local diagnosers for $S_2$ and $S_3$ use this measurement and compute this symbol. Partial diagnosers (with some faults omitted) for these subsystems are shown in Fig. 7. The $S_2$ diagnoser moves to a state with $R_{23}^+$ as the sole candidate, and the $S_3$ diagnoser moves to a state with $R_{34}^+$ as the sole candidate. At time 10.4, a 0+ is detected in $q_2$. The $S_2$ diagnoser moves to an accepting state with $R_{23}^+$ as the sole candidate. The $S_3$ diagnoser does not use this measurement so takes no action. Because the $S_2$ diagnoser reached an accepting state, a global diagnosis has been achieved.

For the scalability analysis, we consider $n$-tank systems where for $i = 1, \ldots, n-1$, $F_i = \{C_i^-, C_i^+, R_i^+, R_i^-, R_{i,i+1}^+, R_{i,i+1}^-\}$ and for $i = n$, $F_i = \{C_i^-, C_i^+, R_i^+, R_i^-\}$. The diagnoser design algorithm determines that for $i = 1, \ldots, n-1$, $M_i^+ = \{q_i, q_{i+1}\}$, and for $i = n$, $M_i^+ = \{q_{n-1}, q_n\}$, i.e., each subsystem pulls in a measurement from an adjacent subsystem. The local diagnoser for $i = 1, \ldots, n-1$ always has 13 states and 14 transitions for the non-pruned version, and 11 states and 10 transitions for the pruned version. For local diagnoser $n$, both the non-pruned and pruned versions have 7 states and 6 transitions.

The scalability results of the approach as compared to a centralized approach are shown in Table 2. For both non-pruned and pruned diagnosers, we report the number of states, $|S|$, and the number of transitions, $|\delta|$. For the local diagnosers, we sum the number of states over each diagnoser, $\sum |S_i|$, and the number of transitions, $\sum |\delta_i|$. The sum of the local diagnoser sizes increases linearly, whereas the size of the centralized diagnoser increases exponentially, demonstrating a clear improvement in scalability. In the case of the pruned diagnosers, the centralized diagnoser size increases linearly as well, although its size is still larger than for the local diagnosers. The linear increase of the pruned $\mathcal{D}_{F,M}$ is not a general result, but arises here because of the structure imposed by the measurement orderings.

Figure 6: Six-tank predicted and observed flow outputs.

Figure 7: Some partial local diagnosers for the six-tank system.

Table 2: Scalability Results for the Multi-tank System

                 Not Pruned                         Pruned
Tanks    |S|    |δ|   Σ|S_i|  Σ|δ_i|      |S|    |δ|   Σ|S_i|  Σ|δ_i|
2         19     20     20      20         17     16     18      16
3         69     96     33      34         37     28     29      26
4        113    148     46      48         55     42     40      36
5        205    284     59      62         73     76     51      46
6        335    484     72      76         91     96     62      56
7        579    840     85      90        109    116     73      66
8        845   1264     98     104        127    136     84      76
9       1181   1812    111     118        145    156     95      86
10      1595   2500    124     132        163    176    106      96

7 CONCLUSIONS

We developed a formal framework for event-based qualitative diagnosis of continuous systems. Global and local diagnosers are automatically derived from fault signatures and relative measurement orderings, which, in turn, may be derived automatically from a system model. This results in a distributed diagnosis framework that eliminates the single point of failure associated with centralized diagnosis frameworks or distributed frameworks that require the use of a centralized coordinator, while the local diagnosers still obtain globally correct diagnoses. The approach may be naturally applied to systems with clear subsystem boundaries. The distributed approach also scales well with an increase in the number of subsystems, particularly in comparison to a centralized diagnoser.

The event-based framework presented here relates 
to discrete-event diagnosis methods, e.g., (Sampath 
et al., 1996; Zad et al., 2003), and also distributed
discrete-event diagnosis methods such as (Debouk et
al., 2000). Our approach may be viewed as an im-
plementation of Protocol 3 in (Debouk et al., 2000), 
in which we solve the design problem to achieve the 
conditions for a coordinator-free approach. In (Ri- 
bot et al., 2008), local diagnosers are extended with 
communicated events and additional sensors. We as- 
sume a diagnosable system in which sensor selection 
has been performed initially. The use of measure- 
ment orderings is similar to (Meseguer et al., 2008; 
Puig et al., 2005), where signatures are derived from 
analytical redundancy relations, but do not utilize the 
rich symbol framework for fault signatures used here. 
In (Bayoudh et al., 2006), a similar approach is ap- 
plied to hybrid systems, where the events are defined 
as changes in ARR values due to mode changes. 

In future work, we will be extending the approach 
to multiple faults based on previous work in (Daigle 
et al., 2007a), and to hybrid systems, based on results 
presented in (Daigle et al., 2010). We will also in- 
vestigate alternative distributed design algorithms and 
design heuristics. 